From b77b9d374c3c089c0bdf42de9447aac79769e039 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sun, 12 Jul 2020 11:19:13 +0530
Subject: [PATCH 1/2] Update threat-actor.json

---
 clusters/threat-actor.json | 62 +++++++-------------------------------
 1 file changed, 11 insertions(+), 51 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index df7cb52..3a9c3c8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -606,13 +606,6 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
- },
- {
- "dest-uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
 }
 ],
 "uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
@@ -982,15 +975,11 @@
 "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
 "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
 "https://www.crowdstrike.com/blog/storm-chasing/",
- "https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf"
+ "https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
 ],
 "synonyms": [
 "Black Vine",
- "TEMP.Avengers",
- "Zirconium",
- "APT 31",
- "APT31"
+ "TEMP.Avengers"
 ]
 },
 "related": [
@@ -1555,16 +1544,11 @@
 "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
- "http://www.crowdstrike.com/blog/whois-samurai-panda/",
- "https://www.cfr.org/interactive/cyber-operations/sykipot",
- "https://www.secureworks.com/research/threat-profiles/bronze-edison"
+ "http://www.crowdstrike.com/blog/whois-samurai-panda/"
 ],
 "synonyms": [
 "PLA Navy",
- "APT4",
- "APT 4",
- "Wisp Team",
- "BRONZE EDISON"
+ "Wisp Team"
 ]
 },
 "related": [
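Review bot: In the -982 hunk the refs dedupe stops short: the list still holds both `"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"` (first context line) and the `https://` form of the same URL that the hunk keeps, so one of the two should go. The same hunk strips `Zirconium`, `APT 31` and `APT31` from this cluster without adding a `related` link from the APT31 cluster (hunk -7436, where those aliases already live) back to it, and patch 1 has no commit message explaining the move; if the alias was wrong here, say so in the message, and if it is only being deduplicated, a `related` entry with `"type": "similar"` between the two clusters keeps the association queryable. The enclosing cluster object starts and ends outside this hunk, so its `uuid` is not visible here.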
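Review bot: After the -1555 hunk, `"PLA Navy"` remains a synonym of this cluster (apparently the one the -1581 hunk closes with uuid `2fb07fa4-0d7f-43c7-8ff4-b28404313fe7`) while the -5150 hunk keeps it as a synonym of Maverick Panda (`8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b`) as well, so a lookup by that name now matches two clusters whose similarity link the same series removes. Either move `"PLA Navy"` together with the `APT4` / `APT 4` / `BRONZE EDISON` aliases it is being separated from, or keep it on one side only. The cluster object continues past the hunk's final `"related": [` line.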
@@ -1581,13 +1565,6 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
- },
- {
- "dest-uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
 }
 ],
 "uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
@@ -5150,36 +5127,17 @@
 "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
 "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919",
- "https://www.cfr.org/interactive/cyber-operations/sykipot"
+ "https://www.cfr.org/interactive/cyber-operations/sykipot",
+ "https://www.secureworks.com/research/threat-profiles/bronze-edison"
 ],
 "synonyms": [
 "PLA Navy",
+ "APT4",
+ "APT 4",
+ "BRONZE EDISON",
 "Sykipot"
 ]
 },
- "related": [
- {
- "dest-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
 "value": "Maverick Panda"
 },
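Review bot: The -5150 hunk deletes Maverick Panda's entire `related` array, but the series only removes the reciprocal links on `9a683d9c-8f7d-43df-bba2-ad0ca71e277c` (hunk -606) and `2fb07fa4-0d7f-43c7-8ff4-b28404313fe7` (hunk -1581); nothing touches `38fd6a28-3353-4f2b-bb2b-459fecd5c648`, so if that cluster carries a matching `similar` link to `8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b` it is now one-directional. Either drop that side as well or keep the Maverick Panda entry for it so both ends agree. The commit message is only "Update threat-actor.json", so the reason for removing three similarity relations while the `APT4` / `APT 4` / `BRONZE EDISON` aliases and the bronze-edison ref are merged in is not recorded; one sentence on that belongs in the message.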
@@ -7427,6 +7385,7 @@
 "refs": [
 "https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
 "https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
 "https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists",
 "https://twitter.com/bkMSFT/status/1201876664667582466",
 "https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain",
@@ -7436,6 +7395,7 @@
 "synonyms": [
 "APT 31",
 "ZIRCONIUM",
+ "JUDGMENT PANDA",
 "BRONZE VINEWOOD"
 ]
 },

From c33f4c76111c34b40b1130bd7fbec0e29b863dd1 Mon Sep 17 00:00:00 2001
From: Rony
Date: Sun, 12 Jul 2020 12:57:24 +0530
Subject: [PATCH 2/2] Update threat-actor.json

Moved the JUDGMENT PANDA references to APT31 following the previous commit. Off note, Crowdstrike quietly removed the JUDGMENT PANDA section from its GTR-2019 report. However if anyone wants to grab the unchanged report, they can get it [here](https://b-ok.asia/book/3697424/2ab30a).

---
 clusters/threat-actor.json | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3a9c3c8..91ea390 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7177,17 +7177,6 @@
 "uuid": "7e37be6b-5a94-45f3-bdeb-f494c520eee3",
 "value": "Salty Spider"
 },
- {
- "description": "This adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL 'web bugs' and scheduled tasks to automate credential harvesting.",
- "meta": {
- "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
- ]
- },
- "uuid": "d7a41ada-6687-4a6b-8b5c-396808cdd758",
- "value": "Judgment Panda"
- },
 {
 "description": "In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.",
 "meta": {
@@ -7379,7 +7368,7 @@
 "value": "Silent Librarian"
 },
 {
- "description": "FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government.",
+ "description": "FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.",
 "meta": {
 "country": "CN",
 "refs": [
@@ -7390,7 +7379,9 @@
 "https://twitter.com/bkMSFT/status/1201876664667582466",
 "https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain",
 "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
- "https://www.secureworks.com/research/threat-profiles/bronze-vinewood"
+ "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ],
 "synonyms": [
 "APT 31",
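Review bot: The description and refs merged into APT31 in the -7379 and -7390 hunks come from the Judgment Panda cluster `d7a41ada-6687-4a6b-8b5c-396808cdd758`, which patch 2 deletes outright at hunk -7177; any MISP event already tagged with that galaxy UUID will stop resolving to a cluster once this lands. Unless the galaxy's policy allows dropping UUIDs, keep that entry and point it here with a `related` entry of `"type": "similar"` (or state the merge in its description) instead of removing it. On the rewritten description line, the ASCII `'web bugs'` of the deleted entry became the typographic `“web bugs”`, and the line still carries `competetive` and the mixed `Crowdstrike` / `CrowdStrike` spelling, all worth fixing while the string is being touched. The re-added report URL also lost the trailing slash the deleted entry had (`.../2019-crowdstrike-global-threat-report/`), which may or may not redirect.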